In the previous articles, we introduced the LACS approach and explained why it matters for navigating the complex world of cyber defense. If you have not read them, feel free to check them out: LACS Volume 1 and LACS Volume 2. You can also listen to my interview with Sascha Schumann, where we cover topics closely related to cyber risk assessment and LACS.
THE BEST DEFENCE IS A GOOD OFFENCE
Governments, intelligence agencies, law enforcement, and private companies are evaluating the possibility of adopting offensive approaches to defend their assets from cyber attacks.
While in private industry the concept of an offensive approach to cybersecurity is relatively new, it has long been debated and extensively evaluated in government and military environments, and countries have gone to great lengths to develop systems that can respond once an attack is detected.
In this article, we will go over the first two phases in the offensive approach. You can find a brief overview of the phases below.
- Planning – Counter defense, battle planning, attack options, risk assessment
- Reconnaissance – Advantage reconnaissance, espionage, situational awareness
An offensive approach can be highly effective, but only if you are legally covered and have the explicit green light from the authorities. Remember that it is a highly aggressive method of defense: in developed countries it is regulated by law across industries, and accessing systems you are not authorised to access is a criminal offence in most jurisdictions, whatever your motive. I would not advise you to repeat this at home unless you have strong reasons, and the authorisation, to do so.
Planning is a crucial phase for institutions. Having an action plan for every incident type that involves a breach is a good starting point, but it is not enough.
Businesses need to approach cybersecurity with the assumption that being attacked is inevitable. Attacks are on the rise, and companies of all types and sizes are at risk. The right questions should be raised at the right time, and plans should be kept up to date and flexible so that they can be adjusted as the situation demands. If an organization decides to go on the offensive, it has to be prepared to play a war game against hackers and competitors, and, as you know, even a brilliant plan won't work in every case. So, alongside the master plan, keep short-term plans ready for specific situations.
"Invincibility lies in the defence; the possibility of victory in the attack."
― Sun Tzu, The Art of War
During the planning of your offence, you should consider the following points:
- The main points of contact in your organization who hold the decision-making power
- Elements of the infrastructure that are most likely to be attacked
- Departments that have previously been attacked or affected by social engineering
- Departments with the largest volume of freshly hired employees
- Contracts signed with vendors or partners, and the corresponding public announcements
- Vendor and partner infrastructure protection
- Vendor and partner employee education
- Software and hardware assets that control financial transactions or serve as points of access
- Parts of your network that are constantly under DDoS attack
- Vendor software that hosts your source code
- Vendor servers that provide your infrastructure and domain(s)
- Third-party applications or frameworks used in your business
- Vendor software that supports your day-to-day operations
The reconnaissance phase gathers crucial information about your potential attackers, your employees, and your competitors. Its activities can be summarised in a reasonably simple list:
- Regular checks and education of employees
- Risk assessment of partner and vendor infrastructure
- Monitoring of company infrastructure and network
- Ethical hacking of local and external infrastructure
- Automated bots checking source code for leaked credentials and other sensitive data
- Monitoring of public breaches at competing companies
- Controlled hack attempts with limited impact
- Constant monitoring of publicly available information on the latest cyber breaches
- Monitoring of public posts and announcements where the company name is mentioned
- Constant monitoring of external and internal communication for signs of social engineering
- Tracking of the most notorious hackers and their activities
- Smart plan adjustments based on public data about breaches and attacks
- Constant spying and social-engineering attacks against possible attackers
- Constant testing and probing of possible attackers' networks without an actual breach
- Identification of badly protected access points of the possible enemy
- Espionage on personal data of the possible enemy
- Collaboration with law enforcement, sharing information gained from ethical hacking or espionage
- Attempts to crack passwords or keys found in publicly shared resources
- Phishing attacks from well-disguised sources
- Hidden cells in enemy organizations, ready to leak data on demand
- Dormant malware planted in enemy organizations
- Meetings with decision makers in enemy organizations
- Collaboration with other hackers who have the same target as your organization, so that an attack response and collective computing power are ready in case a response is needed
This list could go on endlessly; however, my goal is not to teach you how to hack your enemies but to explain how dangerous this approach can become once you get deep into the game.
Remember, the more data you have, the better prepared you are. The most important thing is not to be dogmatic, and to be ready to adjust the defense plans based on the data received from reconnaissance. War is a complicated and exhausting process, so be prepared to act fast.
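Two of the reconnaissance items above, automated checking of source code and looking for passwords or keys left in publicly shared resources, are concrete enough to show in code. The following is an added example written for this article; it is not code from the LACS series or from any tool mentioned in it. It scans files for hardcoded credentials using a few pattern rules (AWS access key IDs, PEM private keys, password assignments) plus a Shannon-entropy check on anything assigned to a variable whose name mentions key, secret or token. The rules, the 3.5-bit threshold and the sample repository are assumptions chosen for illustration; the sample files are constructed and contain no real credentials (the AWS key ID is the placeholder from AWS documentation).

```python
import math
import re
from dataclasses import dataclass

# Pattern rules for well-known secret formats. These are assumptions chosen for
# illustration, not an exhaustive ruleset: AWS access key IDs are 20 characters
# starting with AKIA/ASIA, PEM private keys carry a BEGIN ... PRIVATE KEY header,
# and "password = '...'" assignments are the classic hardcoded credential.
RULES = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "hardcoded_password": re.compile(
        r"""(?i)(?:password|passwd|pwd)\w*\s*[=:]\s*["']([^"']{6,})["']"""
    ),
}

# Anything assigned to a variable whose name mentions key/secret/token is a
# candidate for the entropy check below (catches formats no rule knows about).
CANDIDATE = re.compile(
    r"""\b(\w*(?:key|secret|token)\w*)\s*[=:]\s*["']([A-Za-z0-9+/=_\-]{16,})["']""",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 3.5  # bits per character; assumed cut-off, tune to your code base


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str
    snippet: str


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_text(path: str, text: str) -> list:
    """Scan one file's contents; each line yields at most one finding."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        # Pattern rules win; the entropy heuristic only runs when no rule fired.
        rule = next((name for name, rx in RULES.items() if rx.search(line)), None)
        if rule is None:
            m = CANDIDATE.search(line)
            if m and shannon_entropy(m.group(2)) >= ENTROPY_THRESHOLD:
                rule = "high_entropy_secret"
        if rule is not None:
            findings.append(Finding(path, line_no, rule, line.strip()))
    return findings


def scan_files(files: dict) -> list:
    """files maps path -> contents, e.g. collected by walking a checkout."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


# Constructed sample repository for the demonstration (no real credentials;
# the AWS key ID is the placeholder used in AWS documentation).
SAMPLE_FILES = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2-prod!"\n'
        'AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"\n'
        "DEBUG = False\n"
    ),
    "scripts/deploy.sh": (
        "#!/bin/sh\n"
        'API_TOKEN="q7Rv2pZx9LmK4wT8aB3nC5dE"\n'
        'SESSION_SECRET="changeme_changeme"\n'
    ),
    "docs/README.md": "Set PASSWORD via an environment variable, never in code.\n",
}


if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f.path}:{f.line_no}: {f.rule}: {f.snippet}")
```

On the sample input the scanner reports the hardcoded database password, the AWS key ID and the random-looking API token, but not the `changeme_changeme` placeholder, whose entropy is well under the threshold. That is the point of combining fixed patterns with an entropy heuristic: the patterns catch formats you know, the heuristic catches tokens you do not, and the threshold keeps placeholders and ordinary words out of the report. Run it over a checkout of every repository (and every published bucket or wiki) as part of the self-reconnaissance routine, and treat each finding as a credential to rotate, not merely a line to delete.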
In the coming articles I am going to cover, in detail, the last two action points in an offensive approach:
- Proactive defense
To be honest, I try to avoid this particular approach, but sometimes it can be highly effective if you are ready to face the risks and get into a long-lasting war with cybercriminals or competing groups. The choice depends on how well you are covered, legally and financially, to be able to win this fight.